
Super Stealth - does it really provide security?


Paranoid2000
04-01-2003, 05:03 PM
In the description of Super Stealth, it is stated that users can get complete security in their Ethernet segment since they would only be responding to ARP requests from "trusted" hosts (I have not run the plugin but simply read the first thread on the forum - if I am wrong, please fire away :) ).

The assumption being made here is that an intruder would not be able to find your MAC address since your PC would not respond to any ARP requests he issues. If he does not have your MAC address he cannot send you any Ethernet packets.

However, an attacker on your local segment does not need to send an ARP request to find your MAC address. If he puts his network card into "promiscuous mode" (where it passes all packets it receives to the operating system - normally it filters everything except broadcasts, multicasts and packets with its MAC address), he can see what packets your PC is sending or receiving. These would include your MAC address. This is a straightforward task for any sniffer program.

In other words, if your PC is sending or receiving any data on the network, Super Stealth cannot provide real protection. Once an attacker has your MAC address, he can start sending data to your PC where it would be up to Outpost itself to filter it.

Could Super Stealth be altered to change this? Filtering all incoming packets (rather than just ARP requests) except those from "trusted" MAC addresses would make life a little more difficult for an attacker - he would then have to identify a trusted MAC address and alter the source address on his packets accordingly. This would however not be too difficult - using a sniffer again...

One possibility for better security is to have mutating MAC addresses - where your PC's address is frequently changed in a pseudo-random fashion (e.g. based on a hash including the current time, previously used address, etc.). That way, even if an attacker is using a sniffer, he would only find past addresses - not your current one.

This approach does have real difficulties though. While some network cards allow their MAC address to be changed, I am not certain that all do. This would also require similar software at the router/gateway to keep up with the MAC address changes. At this point, it would appear beyond the scope of Super Stealth or Outpost itself to provide that level of security - and would make network troubleshooting a real pain.

While I do not wish to sound discouraging - I do feel that in its current form, Super Stealth cannot provide more than a few moments' obstruction to a local attacker. Those who need this level of security should be considering solutions like IPsec (which includes packet authentication and encryption at IP packet level as described here (http://www.netbsd.org/Documentation/network/ipsec/)).
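The point made in the post above can be shown in a few dozen lines. The following is an added example, not code from the thread, from Outpost or from the Super Stealth plug-in: it builds a handful of Ethernet/ARP/IPv4 frames for a constructed shared segment (hosts, MAC and IP addresses are all made up), then shows what a promiscuous-mode sniffer learns without ever sending an ARP request, and why the hypothetical "accept only trusted source MACs" variant is defeated by copying a sniffed address into the source field. The `trusted_mac_filter` function is an assumption about how such a variant would behave, not a description of the real plug-in.

```python
"""Passive MAC discovery on a shared Ethernet segment, and source-MAC
spoofing against a trusted-MAC allow-list.  Added example with constructed
hosts, addresses and frames; not code from the Super Stealth plug-in."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def ethernet(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def arp(op, sha, spa, tha, tpa):
    # Ethernet/IPv4 ARP header: htype=1, ptype=0x0800, hlen=6, plen=4, op
    return struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op) + sha + spa + tha + tpa


def ipv4(src, dst, payload):
    # Minimal 20-byte IPv4 header (UDP, TTL 64); checksum left 0, nothing routes it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0, src, dst)
    return hdr + payload


def parse_frame(frame):
    """Fields a sniffer cares about: MACs, ethertype, and the IP/MAC pairings
    an ARP or IPv4 payload reveals."""
    info = {"dst": frame[:6], "src": frame[6:12],
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    body = frame[14:]
    if info["ethertype"] == ETHERTYPE_ARP:
        info["op"] = struct.unpack("!H", body[6:8])[0]
        info["sender_mac"], info["sender_ip"] = body[8:14], body[14:18]
        info["target_ip"] = body[24:28]
    elif info["ethertype"] == ETHERTYPE_IPV4:
        info["src_ip"], info["dst_ip"] = body[12:16], body[16:20]
    return info


def passive_inventory(frames):
    """What a promiscuous-mode NIC learns without sending one ARP request:
    every (IP, MAC) pairing from ARP sender fields and IPv4 source headers."""
    seen = {}
    for f in frames:
        p = parse_frame(f)
        if p["ethertype"] == ETHERTYPE_ARP:
            seen[ip_str(p["sender_ip"])] = mac_str(p["sender_mac"])
        elif p["ethertype"] == ETHERTYPE_IPV4:
            seen[ip_str(p["src_ip"])] = mac_str(p["src"])
    return seen


def trusted_mac_filter(frames, trusted):
    """Hypothetical 'drop everything except trusted MACs' rule: a frame is
    accepted iff its *claimed* source MAC is on the allow-list."""
    return [f for f in frames if parse_frame(f)["src"] in trusted]


# Constructed segment: victim answers ARP only from the trusted gateway.
GATEWAY_MAC, GATEWAY_IP = mac("00:11:22:33:44:01"), ip("10.0.0.1")
VICTIM_MAC, VICTIM_IP = mac("00:11:22:33:44:05"), ip("10.0.0.5")
ATTACKER_MAC, ATTACKER_IP = mac("00:11:22:33:44:66"), ip("10.0.0.66")


def segment_traffic():
    """Frames visible on the wire.  The attacker's ARP request gets no reply
    (the stealth rule works); the gateway's does, and the victim also sends
    ordinary IPv4 traffic, which carries its MAC in the clear."""
    return [
        ethernet(BROADCAST, ATTACKER_MAC, ETHERTYPE_ARP,
                 arp(ARP_REQUEST, ATTACKER_MAC, ATTACKER_IP, b"\0" * 6, VICTIM_IP)),
        ethernet(BROADCAST, GATEWAY_MAC, ETHERTYPE_ARP,
                 arp(ARP_REQUEST, GATEWAY_MAC, GATEWAY_IP, b"\0" * 6, VICTIM_IP)),
        ethernet(GATEWAY_MAC, VICTIM_MAC, ETHERTYPE_ARP,
                 arp(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)),
        ethernet(GATEWAY_MAC, VICTIM_MAC, ETHERTYPE_IPV4,
                 ipv4(VICTIM_IP, ip("93.184.216.34"), b"GET / HTTP/1.0\r\n\r\n")),
    ]


def attacker_view():
    return passive_inventory(segment_traffic())


def spoof_demo():
    """Attacker reuses the sniffed gateway MAC as source; the allow-list
    admits that frame and rejects the honest one.  Returns (accepted, spoofed_passed)."""
    probe = ipv4(ATTACKER_IP, VICTIM_IP, b"probe")
    honest = ethernet(VICTIM_MAC, ATTACKER_MAC, ETHERTYPE_IPV4, probe)
    spoofed = ethernet(VICTIM_MAC, GATEWAY_MAC, ETHERTYPE_IPV4, probe)
    accepted = trusted_mac_filter([honest, spoofed], {GATEWAY_MAC})
    return len(accepted), accepted[0] is spoofed


if __name__ == "__main__":
    print("learned without ARP replies:", attacker_view())
    print("frames passing trusted-MAC filter, spoof accepted:", spoof_demo())
```

The victim never answers the attacker, yet `attacker_view()` still maps 10.0.0.5 to its MAC, learned from the unicast ARP reply to the gateway and from the victim's own IPv4 frames. On a real shared segment this is exactly what tcpdump or any sniffer shows; on a switched segment the attacker only sees broadcast ARP requests and his own traffic, which is the point Dmut raises in the next post.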

Dmut
04-01-2003, 09:02 PM
Thanks for the very detailed post, Paranoid2000. Everything you posted is correct. Yes, SuperStealth will not provide full protection against an experienced attacker.
But here are some of my ideas about SuperStealth's origins: the assumption is that the user is not being attacked by a really skilled hacker. Not many tools in the world could protect a Windows-based box (well, Linux is vulnerable too) against a smart hacker if he really wants to get you.
About sniffing: the assumption is that coaxial cables are gone forever, as well as hubs for twisted-pair cables. Nowadays, network switches are quite cheap and have a lot of advantages compared to network hubs.
The first goal of this plug-in was to fool ordinary network members in your segment: if they don't start to dig, they will think that your computer is down, and this trick works :) And I have decided to change the SuperStealth claim about "complete protection". Better, I'll include a link to this thread in the SuperStealth description, if you wouldn't mind, as I count your post as very informative and useful for other members.

Paranoid2000
04-02-2003, 09:43 AM
Thanks for the reply Dmut. I have no problem with you linking to this thread (it is your forum after all...) although an edited version of the post may be more useful (feel free to cut and paste...).

The first and third points you made I would agree with (though I would suggest that Outpost on its own could achieve the third).

The second point (there being less use of shared segments with more users connected to switches) is valid, but does suggest less need for Super Stealth in the first place (since ARP requests and responses should not be passed on to other segments by the switch).

I would like to commend you on your reasoned response on this thread - some would take offense at receiving this type of criticism.

Doooh
04-03-2003, 06:48 AM
I'm sorry if this question was asked before, but I wanted to ask whether this plugin will protect me from hackers on the global network when I'm connected to the Internet through a proxy.
I ask because I'm very worried about people scanning my ports and trying to connect.
By the way, the whois plugin won't work in our network.

Help, please, if you want to and can. Thanks.

Dmut
04-03-2003, 07:30 AM
Hello Doooh
No, it will not protect you if you don't know how to use it and how it works.

"whois" is PCFlank's commercial plugin; ask them about it.

Paranoid2000
04-03-2003, 09:52 AM
Doooh,

The list of connections and port scans you are receiving contains a lot from 193.111.255.12 - a traceroute of this shows that its closest router is at 217.150.36.5 (Severo-Zapad-gw.transtelecom.net). However, all that you are getting are connection requests (no actual attacks being reported) and on ports >1024 (non-system ports).

An actual attack would be more likely to involve connection attempts on ports below 1024 (trying to connect to any servers - web, email, telnet - that may be running on your machine). If you would like an example - pay a visit to PCFlank and run their Exploits test (www.pcflank.com/exploits.htm)

These connection attempts could be because you connected to that address yourself (eg. if it was a web site) and it still thinks you are requesting information (this can happen because of the non-standard way Internet Explorer handles network connections). If you are running a file sharing program (Kazaa, Gnutella, etc) then you would see lots of other sites connecting to you too.

If you are still worried, set the Attack Detection Plugin to block this IP address if attacks are detected (right click on Attack Detection, select Properties and tick the "Block all traffic..." boxes).

Doooh
04-04-2003, 08:33 AM
Oh, great, thanks. Now I'm so quiet.
And about tests: they are available on Sygate's site without any payment, IMHO (haven't tried yet).